smart search

Wordpress Security issue true or false?

Written by me@grafxflow -
17 Apr, 2013

As many WordPress Developers are aware at the moment (April 2013) there are various blogs bringing up the subject of security and WordPress. So what's the solution? Well in my books it's a case of common sense from both the developer and the client.

So before I go through the different solutions for WordPress, let me first point out the plain simple fact that you will never be able to make anything 100% secure. But the following should make life that little bit more difficult for those who want to hack into your site(s).

Security Option 1.

The obvious and easiest/lowest level of security is to change the default administrator name which WordPress installs, which as we all know is admin. When renaming it try NOT to be clever and use your actual website name as the admin name, trust me this is also guaranteed to be another name they will try it use to login.

Security Option 2.

The next level-up is the use of a 'Password'. Don't just use a plain simple word which can be found in any dictionary. Try to use a mix of UPPER and lowercase characters, even insert numbers and special characters such as underscores(_) or stars(*) etc. If you really want to make it secure try to generate a password which uses a variety of all of these such as gRS$76=A-V?936R. Yes I know this seems extreme but it best to be secure. An example of a website which generates such things is strongpasswordgenerator.com

Security Option 3.

Now for level 3 which is targeted more at developers. One of the well known issues of WordPress are its urls that you need to simply login and access the administration www.yourwebsite.com/wp-admin/ and www.yourwebsite.com/wp-login.php. I guarantee if you are able to track your websites visitors and the pages they are viewing, there will be hundreds accessing the above urls trying admin as the username, hopefully with no success!

You really want to be able change/customise some or all of these urls to your own liking www.yourwebsite.com/custom_admin/. One such plugin is Better WP Security which not only allows you to reword one of these (/wp-admin/) but also has various handy little tools for securing WordPress, such as checking vulnerabilities of your website that may exist, tracking those suspicious characters trying to access your admin and even gives the option to block them altogether (But I would suggest you always be careful/sparing when using this or any other plugins blocking option). Also another nice little option is to do a scheduled database backup and have it sent to your email account automatically.

Another handy plugin is Wordfence which can check core files on the server for dodgy code amends and even allows you to view the exact lines of code that have been changed similar to GitHub. It again has many features such as blocking visitors, but what is nice is the ability to view them live and have the page refresh accordingly with all the relevant details (username, or IP and the pages they are visiting etc).

I could go on... and on... listing several other plugins which all have their own pros and cons, but for this article I have listed the most popular at this current time. One extra tip I would give is try not to limit yourself to one plugin but probably use a combination of several... the more the better. You may actually find they enhance each other and increase the difficulty level for the hackers.

Security Option 4.

The last and highest level of security is to actually program your own functions (I make it sound so easy!), maybe from scratch or integrating/extending them with WordPress's own built in core functions. Be pre-warned, DON'T edit the core files themselves because once WordPress updates you will loose everything!

Now for some of you WordPress experts reading this, options 1 and 2 must seem fairly obvious and may even be thinking that I am waisting a little bit of space of the world wide web by pointing this out. But I have witnessed many people both developers and clients who even miss these.

So to conclude... I hope this has been of some help no matter what level of expertise you may have in WordPress. Even if it's a case of only being able to implement stages and 1 and 2, it's a step up from the default security settings. I also know it may seem like I am picking on WordPress but lets face it... you could tag the same issues to any freely available open-source CMS or E-commerce. Remember not everybody downloading open-source CMS has good intensions.

me@grafxflow

I am a Full-stack Developer who also started delving into the world of UX/UI Design a few years back. I blog and tweet to hopefully share a little bit of knowledge that can help others around the web. Thanks for stopping by!